
Configuring LDAP server access

You must configure LDAP server access to an SVM before LDAP accounts can access the SVM. You can use the vserver services name-service ldap client create command to create an LDAP client configuration on the SVM. You can then use the vserver services name-service ldap create command to associate the LDAP client configuration with the SVM.

Before you begin

About this task

Most LDAP servers can use the default schemas provided by ONTAP:

  • AD-IDMU (Windows 2008, Windows 2012 and later AD servers)

  • AD-SFU (Windows 2003 and earlier AD servers)

  • RFC-2307 (UNIX LDAP servers)

It is best to use the default schemas unless there is a requirement to do otherwise. If so, you can create your own schema by copying a default schema and modifying the copy. For more information, see the NFS Configuration Power Guide .


  1. Create an LDAP client configuration on an SVM: vserver services name-service ldap client create -vserver SVM_name -client-config client_configuration -servers LDAP_server_IPs -schema schema -use-start-tls true|false
    Note
    Start TLS is supported for access to data SVMs only. It is not supported for access to admin SVMs.

    For complete command syntax, see the worksheet Configuring LDAP or NIS server access.

    Example

    The following command creates an LDAP client configuration named corp on the SVM engData. The client makes anonymous binds to the LDAP servers with the IP addresses 172.16.0.100 and 172.16.0.101. The client uses the RFC-2307 schema to make LDAP queries. Communication between the client and server is encrypted using Start TLS.
    cluster1::> vserver services name-service ldap client create
    -vserver engData -client-config corp -servers
    172.16.0.100,172.16.0.101 -schema RFC-2307 -use-start-tls true

  2. Associate the LDAP client configuration with the SVM: vserver services name-service ldap create -vserver SVM_name -client-config client_configuration -client-enabled true|false

    For complete command syntax, see the worksheet Configuring LDAP or NIS server access.

    Example

    The following command associates the LDAP client configuration corp with the SVM engData, and enables the LDAP client on the SVM.
    cluster1::> vserver services name-service ldap create -vserver
    engData -client-config corp -client-enabled true

    Note
    The vserver services name-service ldap create command performs an automatic configuration validation and reports an error message if ONTAP is unable to contact the name server.
  3. Validate the status of the name servers by using the vserver services name-service ldap check command.

    Example

    The following command validates the LDAP servers on the SVM vs0.

    cluster1::> vserver services name-service ldap check -vserver vs0
                                 Vserver: vs0
               Client Configuration Name: c1
                             LDAP Status: up
                     LDAP Status Details: Successfully connected to LDAP server "10.11.12.13".
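The three steps above are usually scripted rather than typed once per SVM. The following Python module is an added example, not NetApp's code: it assembles the three CLI commands from a small configuration object, enforces the two constraints the page states (only the three default schemas, and Start TLS on data SVMs only), and parses the output of vserver services name-service ldap check so a script can branch on whether the LDAP status is up. The dataclass, function names and the "down" sample output are assumptions made for this example; sending the commands to the cluster (for example over SSH) is left to the caller so the module runs offline.

```python
"""Assemble and verify the three-step ONTAP LDAP client procedure.

Added example, not NetApp's code. It builds the CLI commands from a small
config object, enforces two constraints stated in the procedure (only the
three default schemas; Start TLS only on data SVMs), and parses the output
of `vserver services name-service ldap check`. Executing the commands on the
cluster is left to the caller, so this module runs offline.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

DEFAULT_SCHEMAS = ("AD-IDMU", "AD-SFU", "RFC-2307")


@dataclass
class LdapClientConfig:
    svm: str                    # SVM to create the client configuration on
    name: str                   # -client-config value, e.g. "corp"
    servers: List[str]          # LDAP server IP addresses
    schema: str = "RFC-2307"
    use_start_tls: bool = True  # encrypt the LDAP session with Start TLS
    is_admin_svm: bool = False  # Start TLS is not supported on admin SVMs


def validate(cfg: LdapClientConfig) -> None:
    """Reject configurations the procedure says ONTAP does not support."""
    if cfg.schema not in DEFAULT_SCHEMAS:
        raise ValueError(f"{cfg.schema!r} is not a default schema; copy and modify one first")
    if cfg.use_start_tls and cfg.is_admin_svm:
        raise ValueError("Start TLS is supported for access to data SVMs only")
    if not cfg.servers:
        raise ValueError("at least one LDAP server is required")


def build_commands(cfg: LdapClientConfig) -> List[str]:
    """Return the create-client, associate and check commands, in procedure order."""
    validate(cfg)
    tls = "true" if cfg.use_start_tls else "false"
    return [
        f"vserver services name-service ldap client create -vserver {cfg.svm} "
        f"-client-config {cfg.name} -servers {','.join(cfg.servers)} "
        f"-schema {cfg.schema} -use-start-tls {tls}",
        f"vserver services name-service ldap create -vserver {cfg.svm} "
        f"-client-config {cfg.name} -client-enabled true",
        f"vserver services name-service ldap check -vserver {cfg.svm}",
    ]


def parse_check_output(text: str) -> Dict[str, str]:
    """Parse `ldap check` output into {field: value}.

    A line containing ': ' starts a field; a line without it is a wrapped
    continuation of the previous field's value (the details line often
    wraps onto a second line). The echoed prompt line ('::>') is skipped.
    """
    fields: Dict[str, str] = {}
    last: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or "::>" in line:
            continue
        if ": " in line:
            key, value = line.split(": ", 1)
            last = key.strip()
            fields[last] = value.strip()
        elif last is not None:
            fields[last] = f"{fields[last]} {line}"
    return fields


def ldap_is_up(check_output: str) -> bool:
    """True only when the check reports the LDAP status as 'up'."""
    return parse_check_output(check_output).get("LDAP Status") == "up"


# Sample output taken from the procedure's own example, with the details line wrapped.
SAMPLE_CHECK_OUTPUT = """
cluster1::> vserver services name-service ldap check -vserver vs0
                             Vserver: vs0
           Client Configuration Name: c1
                         LDAP Status: up
                 LDAP Status Details: Successfully connected to LDAP server
"10.11.12.13".
"""

# Constructed failure sample (not from the page) to exercise the 'down' path.
SAMPLE_CHECK_DOWN = """
                             Vserver: vs0
           Client Configuration Name: c1
                         LDAP Status: down
                 LDAP Status Details: Could not connect to LDAP server (constructed).
"""

if __name__ == "__main__":
    corp = LdapClientConfig(svm="engData", name="corp",
                            servers=["172.16.0.100", "172.16.0.101"])
    for cmd in build_commands(corp):
        print(cmd)
    print("LDAP up:", ldap_is_up(SAMPLE_CHECK_OUTPUT))  # True
    print("LDAP up:", ldap_is_up(SAMPLE_CHECK_DOWN))    # False
```

Because ldap create already validates the configuration and reports an error when the name server cannot be reached, a script should treat both that error and a check result other than up as a failed step rather than continuing to enable LDAP-backed access on the SVM.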